exception in AuthDelegateProplist: credential username must not be empty: internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,internet/base:1175,internet/base:779,omi/omibase:65,internet/defer:102,omi/omimulti:15,omi/omiauth:62,internet/defer:829,internet/defer:746,omi/auth:516,util/delegate:26,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,util/error:61,util/error:44
VPN Auth Failed: u'exception in AuthDelegateProplist: credential username must not be empty

No, 11.4 at the moment.
I'm pretty sure that request for connection and user certificate is properly delivered.
It just seems that radius auth plugin (auth/authrad?) is unable to extract username from cert subject common name (cn=looka) and breaks saying username can't be empty.

Well, with the OpenVPN Access Server product, autologin is based on the CN of the certificate, but is not handled by RADIUS. Meaning, to obtain an autologin profile you use the web interface of the Access Server and you authenticate using RADIUS. Then you obtain an autologin profile that completely bypasses RADIUS authentication for VPN tunnel connections. Even if you now remove the RADIUS server, that autologin profile will still be able to connect.

If I understood you correctly, you are proposing to generate autologin profile (separate p12?) based on initial cert RADIUS authentication via web and then use that? But user would then need to manually 1) access openvpn via web and login with it's cert and 2) install newly generated ovpn/mobileconfig before his VPN would work?
We already have external PKI, and this would basically mean maintaining parallel PKI which seems against the whole point of having PKI.
E.g. how would those access permissions get revoked exactly?

We would like OpenVPN to authenticate those certificates via Radius on VPN connect every time, not only on web interface access.
It's shame it doesn't seem to be able to do that on those cases, since it clearly already is able to do that.
Also, end users would not be required any additional steps whatsoever.